
Understanding NTFS Metadata (Entries) and How It Can Help in Investigations

Updated: Feb 17


When dealing with NTFS (New Technology File System), one of the most crucial components to understand is the Master File Table (MFT).


Think of it as the backbone of the file system—it stores metadata for every file and folder, keeping track of things like timestamps, ownership, and even deleted files.

Allocated vs. Unallocated Metadata Entries

Just like storage clusters, metadata entries in the MFT can either be allocated (actively in use) or unallocated (no longer assigned to a file). If a metadata entry is unallocated, it falls into one of two categories:

  1. It has never been used before (essentially empty).

  2. It was used in the past, meaning it still contains traces of a deleted file or directory.


This is where forensic investigations get interesting. If an unallocated metadata entry still holds data about a deleted file, we can recover information like filenames, timestamps, and ownership details. In some cases, we may even be able to fully recover the deleted file—provided its storage clusters haven't been overwritten yet.


How Metadata Entries Are Assigned

MFT entries are typically assigned sequentially. This means that when new files are created rapidly, their metadata records tend to be grouped together in numerical order.


Let’s say a malicious program named "mimikatz.exe" runs and extracts several resource files into the system32 directory. Because all these files are created in quick succession, their metadata entries will be next to each other in the MFT.

A similar thing happens when another malicious executable, "svchost.exe", runs and drops a secondary payload ("a.exe"). This action triggers the creation of prefetch files, and since they’re created almost instantly, their MFT entries are also close together. This pattern helps forensic analysts track down related files during an investigation.



The Hidden Clues in MFT Clustering

While this clustering pattern isn’t guaranteed in every case, it’s common enough that it can serve as a backup timestamp system.


Even if a hacker tries to manipulate file timestamps (a technique called timestomping), looking at the MFT sequence can reveal when files were actually created. This makes it a valuable tool for forensic analysts.
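The "backup clock" idea above, as an added example that is not part of the original post: entries allocated in the same contiguous MFT run are grouped, and any entry whose $STANDARD_INFORMATION creation time disagrees with its neighbours is flagged. The record numbers, paths and times are constructed for illustration; nothing here is parsed from a real volume.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
def T(h, m, s):                       # helper for the constructed sample below
    return datetime(2024, 3, 4, h, m, s, tzinfo=UTC)

# Constructed $MFT summary rows (record number, path, $SI creation time).
# Paths, numbers and times are made up for illustration, not from a real volume.
ENTRIES = [
    (40211, r"\Windows\System32\mimikatz.exe", T(9, 15, 2)),
    (40212, r"\Windows\System32\res_a.dll", T(9, 15, 3)),
    (40213, r"\Windows\System32\res_b.dll",
     datetime(2021, 6, 1, 8, 0, tzinfo=UTC)),   # $SI backdated (timestomped)
    (40214, r"\Windows\System32\res_c.dll", T(9, 15, 3)),
    (40215, r"\Windows\System32\res_d.dll", T(9, 15, 4)),
    (40890, r"\Windows\Prefetch\SVCHOST.EXE-XXXXXXXX.pf", T(9, 20, 10)),
    (40891, r"\Windows\System32\a.exe", T(9, 20, 11)),
    (40892, r"\Windows\Prefetch\A.EXE-XXXXXXXX.pf", T(9, 20, 12)),
    (52000, r"\Users\alice\notes.txt", T(14, 0, 0)),
]

def runs(entries, max_gap=1):
    """Group entries whose MFT record numbers are contiguous (sequential allocation)."""
    out, cur = [], []
    for e in sorted(entries, key=lambda e: e[0]):
        if cur and e[0] - cur[-1][0] > max_gap:
            out.append(cur)
            cur = []
        cur.append(e)
    if cur:
        out.append(cur)
    return out

def sequence_outliers(entries, tolerance=timedelta(minutes=10)):
    """Flag entries whose $SI creation time disagrees with the neighbours that
    were allocated alongside them; the median of the run is the 'backup clock'."""
    flagged = []
    for run in runs(entries):
        if len(run) < 3:              # too small to establish a neighbourhood time
            continue
        times = sorted(e[2] for e in run)
        median = times[len(times) // 2]
        for rec, path, created in run:
            if abs(created - median) > tolerance:
                flagged.append((rec, path, created, median))
    return flagged

if __name__ == "__main__":
    for rec, path, created, expected in sequence_outliers(ENTRIES):
        print(f"MFT #{rec} {path}: $SI created {created:%Y-%m-%d %H:%M}, "
              f"neighbours created ~{expected:%Y-%m-%d %H:%M}")
```

A flagged entry is a lead, not proof: confirm it against $FILE_NAME, $UsnJrnl or $LogFile before drawing conclusions.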

Type    Name                       Type    Name
0x10    $STANDARD_INFORMATION      0x90    $INDEX_ROOT
0x20    $ATTRIBUTE_LIST            0xA0    $INDEX_ALLOCATION
0x30    $FILE_NAME                 0xB0    $BITMAP
0x40    $OBJECT_ID                 0xC0    $REPARSE_POINT
0x50    $SECURITY_DESCRIPTOR       0xD0    $EA_INFORMATION
0x60    $VOLUME_NAME               0xE0    $EA
0x70    $VOLUME_INFORMATION        0xF0
0x80    $DATA                      0x100   $LOGGED_UTILITY_STREAM


Breaking Down the MFT Structure

Every file, folder, and even the volume itself has an entry in the MFT. Typically, each entry is 1024 bytes in size and contains various attributes that describe the file.


Here are some of the most commonly used attributes:


  • $STANDARD_INFORMATION (0x10) – Stores general details like file creation, modification, and access timestamps.

  • $FILE_NAME (0x30) – Contains the filename and another set of timestamps.

  • $DATA (0x80) – Holds the actual file content (for small files) or a pointer to where the data is stored.

  • $INDEX_ROOT (0x90) & $INDEX_ALLOCATION (0xA0) – Used for directories to manage file listings.

  • $BITMAP (0xB0) – Keeps track of allocated and unallocated clusters.



Timestamps and Their Forensic Importance

NTFS records multiple sets of timestamps, and they don’t always update the same way.


Two of the most important timestamp attributes are:
  • $STANDARD_INFORMATION timestamps – These are affected by actions like copying, modifying, or moving a file.

  • $FILE_NAME timestamps – These remain more stable and can serve as a secondary reference.


Because these two timestamp sets don’t always update together, analysts can spot inconsistencies that reveal timestomping attempts.


For instance, if a file’s $STANDARD_INFORMATION creation time differs from its $FILE_NAME creation time, it could mean that someone tampered with the timestamps.
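The attribute layout from "Breaking Down the MFT Structure" and the $STANDARD_INFORMATION versus $FILE_NAME comparison above, worked as an added example (not code from the original post): a small parser walks the resident attributes of a 1024-byte FILE record, pulls both creation timestamps, and flags the inconsistency. The record is constructed in build_record for testing; the fixup-applied input, the "a.exe" name and the FILETIME values are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF               # attribute codes (table above)

def filetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def resident_attrs(record):
    """Yield (type, content) for each resident attribute in a FILE record.
    Assumes the update-sequence fixup has already been applied."""
    off = struct.unpack_from("<H", record, 0x14)[0]  # first attribute offset
    while off + 24 <= len(record):
        atype, alen, nonres = struct.unpack_from("<IIB", record, off)
        if atype == END or alen == 0:                # end-of-attributes marker
            break
        if nonres == 0:                              # resident: content inline
            csize, coff = struct.unpack_from("<IH", record, off + 0x10)
            yield atype, record[off + coff:off + coff + csize]
        off += alen

def timestamps(record):
    """{'SI': (created, modified), 'FN': (created, modified)} for one record."""
    out = {}
    for atype, body in resident_attrs(record):
        if atype == SI:                              # 4 FILETIMEs start at 0
            out["SI"] = tuple(map(filetime, struct.unpack_from("<QQ", body, 0)))
        elif atype == FN and "FN" not in out:        # FILETIMEs follow parent ref
            out["FN"] = tuple(map(filetime, struct.unpack_from("<QQ", body, 8)))
    return out

def looks_timestomped(record):
    """$SI creation before $FN creation: $SI was backdated, $FN left alone."""
    ts = timestamps(record)
    return ts["SI"][0] < ts["FN"][0]

def build_record(si_created, fn_created):
    """Constructed 1024-byte FILE record (FILETIME ints); not from a real disk."""
    def attr(atype, body):                           # resident attribute header
        pad = body.ljust((len(body) + 7) // 8 * 8, b"\0")
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(pad), 0, 0, 24, 0, 0,
                           len(body), 24, 0, 0) + pad
    si = attr(SI, struct.pack("<4QI", *[si_created] * 4, 0x20))
    name = "a.exe".encode("utf-16-le")
    fn = attr(FN, struct.pack("<5Q", 5, *[fn_created] * 4)
              + struct.pack("<QQIIBB", 0, 0, 0x20, 0, len(name) // 2, 3) + name)
    head = (b"FILE" + bytes(0x10) + struct.pack("<H", 0x38)).ljust(0x38, b"\0")
    return (head + si + fn + struct.pack("<I", END)).ljust(1024, b"\0")
```

A hit from looks_timestomped is a lead to corroborate with $UsnJrnl or $LogFile, since a move or rename can also leave the two sets apart.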


Real-World Challenges in Analyzing NTFS Metadata

While these timestamp rules are generally reliable, they aren’t foolproof. Changes in Windows versions, different file operations, and even tools like the Windows Subsystem for Linux (WSL) can alter how timestamps behave.


For example:

  • In Windows 10 v1803 and later, the "last access" timestamp may be re-enabled under certain conditions.

  • The Windows Subsystem for Linux (WSL) updates timestamps differently than the standard Windows shell.


Final Thoughts

Analyzing NTFS metadata can unlock a wealth of information, helping forensic investigators reconstruct file activity even after deletion or manipulation. Understanding sequential MFT allocations, timestomping detection, and the role of multiple timestamps is essential for building a strong case in digital forensics.


By looking beyond standard timestamps and diving into the metadata, analysts can uncover hidden traces of activity—providing crucial evidence in cybersecurity investigations.

----------------------------------------Dean---------------------------------------------


 
 
 
